A denial-of-service (DoS) attack, hereinafter referred to as a “DoS attack”, may diminish the availability of a network or a server with respect to a website, a domain name server, and the like. More particularly, a distributed denial-of-service (DDoS) attack, hereinafter referred to as a “DDoS attack”, may refer to a method of simultaneously performing a DoS attack from multiple zombie computers infected by malicious viruses.
Here, the Internet Control Message Protocol (ICMP) may provide information on an error status and a status change between hosts, or between a host and a router, may provide a function for responding to a request, and may not require an activated service or port.
In this instance, ICMP flooding during a DDoS attack may be performed by transferring a large volume of ICMP packets to the target of the attack, abusing these characteristics of the ICMP.
However, conventional schemes for detecting and responding to an attack may have difficulty distinguishing an action of a normal user from an action of a malicious user, and indiscriminate blocking based on measured traffic may lead to blocking of normal user traffic. Accordingly, there is a need for a scheme for selectively blocking only attack traffic from a malicious user while protecting the traffic of a normal user.
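The collateral blocking described above can be measured on a small trace. The following is an added example, not part of the original document: it applies a volume-only threshold to a constructed ICMP trace and counts how many normal-user packets it drops. The addresses, rates, function names and the per-source limit used for contrast are assumptions chosen for illustration, and the per-source limit is not the scheme this document goes on to describe.

```python
from collections import Counter

# Constructed sample trace: (second, source_ip, icmp_type); type 8 = echo request.
# 192.0.2.x = normal users (1 ping/s each), 198.51.100.x = flooding hosts.
def build_trace(seconds=3, users=5, zombies=4, flood_pps=50):
    trace = []
    for t in range(seconds):
        for u in range(users):
            trace.append((t, f"192.0.2.{u + 1}", 8))
        if t >= 1:  # flood starts at second 1
            for z in range(zombies):
                trace += [(t, f"198.51.100.{z + 1}", 8)] * flood_pps
    return trace

def aggregate_block(trace, limit_pps):
    """Conventional volume-only scheme: if total ICMP in a second exceeds
    limit_pps, every ICMP packet seen in that second is dropped."""
    per_second = Counter(t for t, _, _ in trace)
    return [p for p in trace if per_second[p[0]] > limit_pps]

def per_source_block(trace, limit_pps):
    """Contrast case (assumption): drop only packets from a source that
    itself exceeds limit_pps in that second."""
    per_src = Counter((t, src) for t, src, _ in trace)
    return [p for p in trace if per_src[(p[0], p[1])] > limit_pps]

def collateral(dropped):
    """Number of dropped packets that came from the normal-user range."""
    return sum(1 for _, src, _ in dropped if src.startswith("192.0.2."))

def summarize(limit_pps=20):
    trace = build_trace()
    agg = aggregate_block(trace, limit_pps)
    src = per_source_block(trace, limit_pps)
    return {
        "total": len(trace),
        "aggregate_dropped": len(agg),
        "aggregate_collateral": collateral(agg),
        "per_source_dropped": len(src),
        "per_source_collateral": collateral(src),
    }

if __name__ == "__main__":
    print(summarize())
```

With the volume-only threshold, every normal-user ping sent during the flood is dropped along with the attack packets, which is the false-positive problem the paragraph above identifies.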